logged-in password change, fix some auth bugs

hacklabto · Jan 16, 2024 · c148c7f · c148c7f
1 parent 62f846f
commit c148c7f
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 8 deletions.
diff --git a/cmd/web/ui/pages/passwd.html b/cmd/web/ui/pages/passwd.html
@@ -1,7 +1,50 @@
 {{ if IsMemberLoggedIn .Ctx.AuthLevel }}
-<h2 class="text-xl">Reset your password</h2>
-<br>
-<p>todo: change password page</p>
+<form class="w-full max-w-sm" hx-post="/passwd/" method="post">
+	<h2 class="text-xl">Change your password</h2>
+	<br>
+	<input type="hidden" name="type" value="change" />
+	<div class="md:flex md:items-center mb-6">
+		<div class="md:w-1/3">
+			<label class="block text-gray-500 font-bold md:text-right mb-1 md:mb-0 pr-4" for="inline-full-name">
+				Current Password
+			</label>
+		</div>
+		<div class="md:w-2/3">
+			<input class="bg-gray-200 appearance-none border-2 border-gray-200 rounded w-full py-2 px-4 text-gray-700 leading-tight focus:outline-none focus:bg-white" id="inline-full-name" type="password" name="current">
+		</div>
+	</div>
+	<div class="md:flex md:items-center mb-6">
+		<div class="md:w-1/3">
+			<label class="block text-gray-500 font-bold md:text-right mb-1 md:mb-0 pr-4" for="inline-full-name">
+				New Password
+			</label>
+		</div>
+		<div class="md:w-2/3">
+			<input class="bg-gray-200 appearance-none border-2 border-gray-200 rounded w-full py-2 px-4 text-gray-700 leading-tight focus:outline-none focus:bg-white" id="inline-full-name" type="password" name="password">
+		</div>
+	</div>
+	<div class="md:flex md:items-center mb-6">
+		<div class="md:w-1/3">
+			<label class="block text-gray-500 font-bold md:text-right mb-1 md:mb-0 pr-4" for="inline-full-name-2">
+				Confirm Password
+			</label>
+		</div>
+		<div class="md:w-2/3">
+			<input class="bg-gray-200 appearance-none border-2 border-gray-200 rounded w-full py-2 px-4 text-gray-700 leading-tight focus:outline-none focus:bg-white" id="inline-full-name-2" type="password" name="confirm">
+		</div>
+	</div>
+	<div class="md:flex md:items-center">
+		<div class="md:w-1/3"></div>
+		<div class="md:w-2/3">
+			<button class="shadow bg-blue-500 hover:bg-blue-400 focus:shadow-outline focus:outline-none text-white font-bold py-2 px-4 rounded" type="submit">
+				Submit
+			</button>
+		</div>
+	</div>
+	{{ if .Data.Error }}
+	<p class="text-red-500">Error: {{ .Data.Error }}</p>
+	{{ end }}
+</form>
 {{ else }}
 {{ if .Data.Token }}
 <form class="w-full max-w-sm" hx-post="/passwd/" method="post">

diff --git a/cmd/web/ui/routes.go b/cmd/web/ui/routes.go
@@ -123,7 +123,29 @@ func registerPasswdRoutes(r chi.Router) {
 
 		typ := r.Form.Get("type")
 		switch typ {
-		// case "change":
+		case "change":
+			newPassword := r.Form.Get("password")
+			if len(newPassword) < 12 { // arbitrary
+				errReply.Error = "password is too short (must be 12 characters)"
+				MaybeHtmxComponent(rw, r, "passwd", errReply)
+				return
+			}
+			if newPassword != r.Form.Get("confirm") {
+				errReply.Error = "passwords do not match"
+				MaybeHtmxComponent(rw, r, "passwd", errReply)
+				return
+			}
+			udn := fmt.Sprintf("uid=%s,ou=people,dc=hacklab,dc=to", r.Context().Value(auth.Ctx__AuthenticatedUser).(string))
+			err := auth.DoChangePassword(udn, r.Form.Get("current"), udn, newPassword)
+			if err != nil {
+				errReply.Error = err.Error()
+				MaybeHtmxComponent(rw, r, "passwd", errReply)
+				return
+			}
+			MaybeHtmxComponent(rw, r, "confirmation", Confirmation{
+				Title:   "Change your password",
+				Message: "Your password has been successfully changed. Please log in again.",
+			})
 		case "reset":
 			username := r.Form.Get("username")
 			if username == "" {
@@ -175,7 +197,6 @@ func registerPasswdRoutes(r chi.Router) {
 				Message: "A confirmation email has been sent to the address associated with your account.",
 			})
 		case "do-reset":
-			// todo: move all of this to microservice
 			token := r.Form.Get("token")
 			username, ok := auth.ValidateResetToken(token)
 			if !ok {

diff --git a/internal/auth/web.go b/internal/auth/web.go
@@ -68,10 +68,12 @@ func AuthenticateHTTP(next http.Handler) http.Handler {
 			r = r.WithContext(context.WithValue(r.Context(), Ctx__AuthenticatedUser, username))
 			// todo: get >member auth level from db
 			r = r.WithContext(context.WithValue(r.Context(), Ctx__AuthLevel, AuthLevel_Member))
-			next.ServeHTTP(rw, r)
 		} else {
-			rw.WriteHeader(http.StatusUnauthorized)
-			// idk, log out, something
+			r = r.WithContext(context.WithValue(r.Context(), Ctx__AuthenticatedUser, ""))
+			r = r.WithContext(context.WithValue(r.Context(), Ctx__AuthLevel, AuthLevel_LoggedOut))
 		}
+
+		// todo: return 401 on api
+		next.ServeHTTP(rw, r)
 	})
 }